b'            versight\n\n            eport\n\n        CONTRACTOR SELF-GOVERNANCE PROGRAMS\n\n\nReport Number D-2000-6-006             April 25, 2000\n\n\n\n             Office of the Inspector General\n                 Department of Defense\n\x0c   Additional Copies\n\n   To obtain additional copies of this evaluation report, contact the Secondary\n   Reports Distribution Unit of the Audit Followup and Technical Support\n   Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932 or visit the\n   Inspector General, DoD Home Page at: www.dodig.osd.mil.\n\n   Suggestions for Future Evaluations\n\n   To suggest ideas for or to request future evaluations, contact the Audit Followup\n   and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n   fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                 OAIG-AUD (ATTN: AFTS Evaluation Suggestions)\n                    Inspector General, Department of Defense\n                       400 Army Navy Drive (Room 801)\n                           Arlington, VA 22202-2885\n\n   Defense Hotline\n\n   To report fraud, waste, or abuse, contact the Defense Hotline by calling\n   (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\n   by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.\n   The identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nAICPA                American Institute of Certified Public Accountants\nCAS                  Cost Accounting Standard\nDCAA                 Defense Contract Audit Agency\nDCAM                 DCAA Contract Audit Manual\nDCMA                 Defense Contract Management Agency\nDFARS                Defense Federal Acquisition Regulation Supplement\nDLA                  Defense Logistics Agency\nFAR                  Federal Acquisition Regulation\nSAS                  Statement on Auditing Standards\n\x0c\x0c                             Office of the Inspector General, DoD\nReport No. D-2000-6-006                                                     April 25, 2000\n   (Project No. 9OC-9006)\n\n                            Contractor Self-Governance Programs\n\n                                    Executive Summary\n\nIntroduction. DoD prime contract awards for more than $25,000 totaled $125 billion during\nFY 1999. A properly implemented and effective contractor self-governance program allows\nDoD to limit its oversight of the acquisition process. Self-governance, also known as\ncorporate governance, is a process through which a company takes responsibility for\nimplementing and enforcing legal and ethical conduct. The key component of self-governance\nis a strong and effective ethics program. An ethics program consists of policies and\nprocedures that define and implement the company\xe2\x80\x99s code of conduct. An ethics program\nshould establish a culture within a company that promotes prevention, detection, and resolution\nof instances of conduct that do not conform to Federal, State, and local law; Federal and DoD\ncontract regulations; and the company\xe2\x80\x99s own internal ethical and business policies and\nprocedures.\n\nEvaluation Objectives. The objective of the evaluation was to determine the adequacy of the\nDefense Contract Audit Agency reviews and reports on contractor self-governance programs.\n\nEvaluation Results. The Defense Contract Audit Agency performs a review of a contractor\xe2\x80\x99s\nethics program as part of its internal control system review of the control environment and\naccounting system. The review did not, however, cover all elements of a management control\nsystem as defined in the Defense Federal Acquisition Regulation Supplement subpart 203.70,\n\xe2\x80\x9cContractor Standards of Conduct.\xe2\x80\x9d Therefore, although the internal control review covered\nthe areas noted in the auditing standards, it did not address the additional areas unique to the\nDoD business environment. In addition, the audit coordination process between audit offices\ncognizant of certain contractor corporate offices and those cognizant of related contractor\nentities needed improvement. Finally, improvements could have been made to the testing of\ncontrols for certain audit steps. For details of the evaluation results, see the Finding section of\nthe report.\n\nManagement Actions. In May 1999, the Defense Contract Audit Agency clarified its audit\nguidance for testing controls. Management agreed to revise existing audit guidance to ensure\nappropriate coverage of the criteria in Defense Federal Acquisition Regulation Supplement\n203.7001, \xe2\x80\x9cProcedures.\xe2\x80\x9d Management will also clarify guidance on audit coordination\nbetween offices cognizant of certain contractor corporate offices and those cognizant of related\ncontractor entities. These actions are fully responsive to our concerns; therefore, no\nrecommendations have been made.\n\nManagement Comments. We provided a draft of this report on March 13, 2000. Because this\nreport contains no recommendations, no written comments were required, and none were\nreceived. Therefore, we are publishing this report in final form.\n\x0cTable of Contents\n\nExecutive Summary                                                         i\n\nIntroduction\n     Background                                                          1\n     Objectives                                                          3\n\nFinding\n     Defense Contract Audit Agency Audit Coverage of Contractor Ethics\n       Program                                                           4\n\nAppendixes\n     A. Evaluation Process\n         Scope                                                           10\n         Methodology                                                     10\n         Prior Coverage                                                  11\n     B. Report Distribution                                              12\n\x0cBackground\n    DoD annually conducts business with thousands of prime contractors and\n    hundreds of thousands of other suppliers, vendors, and subcontractors. In\n    FY 1999, DoD prime contract awards for more than $25,000 totaled\n    $125 billion. The top 25 contractors and their subsidiaries received $58 billion,\n    or 46.4 percent of all contract awards for more than $25,000. The top 100 DoD\n    contractors and their subsidiaries received $75.5 billion, or 60.3 percent of all\n    awards, primarily for aircraft, missile/space systems, ships, and electronics and\n    communications equipment. For DoD to successfully procure and distribute all\n    the goods and services it requires, DoD and its contractors must work\n    harmoniously with each other. No matter how many auditors, inspectors,\n    investigators, and procurement or contracting officials DoD employs, they\n    cannot fully oversee DoD contractors and completely protect DoD and the\n    taxpayers\xe2\x80\x99 interests on their own. Although DoD oversight is needed, the\n    process can work efficiently and effectively only if contractors implement\n    appropriate self-governance activities.\n\n    Self-governance, also known as corporate governance, is a process through\n    which a company takes responsibility for implementing and enforcing legal and\n    ethical conduct. The key component of self-governance is a strong and effective\n    ethics program. An ethics program consists of policies and procedures that\n    define and implement the company\xe2\x80\x99s code of conduct. As part of the process, a\n    company should also implement compliance monitoring systems. An ethics\n    program should establish a culture within a company that promotes prevention,\n    detection, and resolution of conduct that does not conform to Federal, State, and\n    local law; Federal and DoD contract regulations; and the company\xe2\x80\x99s own\n    internal ethical and business policies and procedures.\n\n    Packard Commission. In response to reported DoD contractor abuses, the\n    President\xe2\x80\x99s Blue Ribbon Commission on Defense Management (the Packard\n    Commission) was formed in 1985 to review DoD industry relations and make\n    recommendations for improvements. In 1986, the Packard Commission issued\n    its final report, which stated that major improvements in contractor self-\n    governance were essential. The report recommended that contractors issue and\n    enforce written codes of conduct addressing their unique situations; establish\n    procedures for employees to report apparent misconduct directly to senior\n    management or the audit committee; provide training to employees on internal\n    policies and procedures relating to ethics; establish compliance monitoring\n    systems; develop and implement a system of internal controls relating to its\n    ethics program; and give the independent audit committee the responsibility for\n    overseeing corporate compliance programs.\n\n    Defense Industry Initiatives on Business Ethics and Conduct. In response to\n    the Packard Commission report, DoD industry leaders committed themselves to\n    adopting and implementing principles of business ethics and conduct that\n    address their corporate responsibilities under Federal procurement laws. Many\n    large DoD contractors joined and pledged to establish and adhere to written\n    codes of ethics; train their employees in these codes; encourage employees to\n    report violations of the codes without fear of retribution; monitor compliance\n    with laws relating to DoD procurement; adopt procedures for voluntary\n    disclosure of violations and take needed corrective actions; participate in an\n\n                                        1\n\x0cannual best practices forum to share experiences in implementing the initiatives;\nand have outside or nonemployee members on their boards of directors review\ncompliance with the initiatives.\n\nManagement Controls for an Ethics Program. The Defense Federal\nAcquisition Regulation Supplement (DFARS) subpart 203.70, \xe2\x80\x9cContractor\nStandards of Conduct,\xe2\x80\x9d provides elements of a system of management controls\nfor a contractor ethics program. These elements closely parallel those\nestablished by the Defense Industry Initiatives, including:\n\n       \xe2\x80\xa2   a written code of business ethics and conduct and an ethics training\n           program for all employees;\n\n       \xe2\x80\xa2   periodic reviews of company business practices, procedures and\n           policies, and internal controls for compliance with standards of\n           conduct;\n\n       \xe2\x80\xa2   a mechanism such as a hotline for employees to report suspected\n           improper conduct, and instructions that encourage employees to\n           make such reports;\n\n       \xe2\x80\xa2   internal and external audits, as appropriate;\n\n       \xe2\x80\xa2   disciplinary action for improper conduct;\n\n       \xe2\x80\xa2   timely reporting to appropriate Government officials of any suspected\n           or possible violation of law in connection with Government contracts\n           or any other irregularities in connection with such contracts; and\n\n       \xe2\x80\xa2   full cooperation with any Government agencies responsible for either\n           investigation or corrective actions.\n\nIf properly implemented, these elements should promote an effective ethics\nprogram.\n\nContract Awards. Federal Acquisition Regulation (FAR) subpart 9.1,\n\xe2\x80\x9cResponsible Prospective Contractors,\xe2\x80\x9d provides policies, procedures, and\nstandards for determining whether a prospective contractor is responsible. The\nFAR requires contracting officers to determine that prospective contractors are\nresponsible. One of the seven standards in FAR 9.104-1 for determining\nresponsibility is that the contractor must have a satisfactory record of integrity\nand business ethics.\n\nDoD Use of Contractor Ethics Program Information. Current regulations do\nnot require other DoD agencies and departments, such as the Defense Contract\nManagement Agency (DCMA), to routinely review or use information directly\nrelated to a contractor\xe2\x80\x99s ethics program during the contracting process.\nContracting officers can consider relevant information, if available, during\ndetermination of a prospective contractor\xe2\x80\x99s present responsibility or evaluation\nof a contractor\xe2\x80\x99s past performance. In the past, the Defense Logistics Agency\n(DLA) Office of General Counsel has reviewed some contractor ethics programs\non request. However, the DLA Office of General Counsel headquarters\npersonnel have not been requested to perform an ethics program review since\n1996. In general, DoD officials responsible for establishing settlement\n                                      2\n\x0c     agreements make the most direct use of information about a contractor\xe2\x80\x99s ethics\n     program. These officials may review a contractor\xe2\x80\x99s ethics program before and\n     after developing a settlement agreement in lieu of suspension or debarment. As\n     part of this process, DoD officials may use Defense Contract Audit Agency\n     (DCAA) internal control system reports containing information on a contractor\xe2\x80\x99s\n     ethics program. Such information may also be helpful if a situation arises\n     involving application of the Federal sentencing guidelines.\n\nObjectives\n     The overall evaluation objective was to determine the adequacy of the DCAA\n     reviews and reports on contractor self-governance programs. Specifically, we\n     determined whether DCAA appropriately assessed and reported on the adequacy\n     of contractor self-governance programs, such as employee awareness training,\n     contractor hotlines, and voluntary disclosures. See Appendix A for a discussion\n     of the evaluation scope and methodology and prior coverage.\n\n\n\n\n                                        3\n\x0c           Defense Contract Audit Agency Audit\n           Coverage of Contractor Ethics Program\n\n           Since FY 1995, the DCAA has performed reviews of a contractor\xe2\x80\x99s\n           ethics program as part of its internal control system reviews of the\n           control environment and accounting system. The review did not,\n           however, cover all elements of a management control system as defined\n           in the DFARS. Therefore, although the internal control system review\n           covered the areas noted in the auditing standards, it did not address the\n           additional areas unique to the DoD business environment. The audit\n           coordination between DCAA offices cognizant of corporate locations and\n           those offices cognizant of associated contractor entities also needed\n           improvement. Finally, we identified instances at each of the three\n           offices visited where improvements could have been made to the testing\n           of internal controls. Procedures for coordinating audit work did not\n           adequately address some situations involving corporate offices and\n           associated contractor entities. Weaknesses in performing compliance\n           testing when needed were caused by unclear audit guidance; however,\n           during our evaluation, DCAA management clarified the pertinent\n           guidance, resolving the issue. Enhanced audit coverage of a contractor\xe2\x80\x99s\n           control environment will lead to improved risk assessments and allow\n           DCAA to better allocate its limited audit resources to higher-risk\n           contractors with inadequate ethics programs. In addition, by performing\n           additional audit work to include the DFARS criteria, DCAA can provide\n           information to contracting officers and DoD officials that can be used to\n           evaluate a contractor\xe2\x80\x99s past performance and present responsibility. This\n           additional information can also be the basis for increasing or decreasing\n           Government oversight at a contractor location.\n\nInternal Control System Audit and Risk Assessment\n    Government auditing standards require auditors to obtain a sufficient\n    understanding of the contractor internal control structure as a basis for assessing\n    risk. The auditor uses this assessment of control risk to properly plan the audit\n    and to determine the nature, timing, and extent of the testing needed.\n\n    Internal Control System Review Process. In FY 1995, DCAA instituted a\n    new process for assessing and documenting the control risk for major\n    contractors. The new process incorporated the requirements of the Statement on\n    Auditing Standards (SAS) No. 55, \xe2\x80\x9cConsideration of the Internal Control\n    Structure in a Financial Statement Audit,\xe2\x80\x9d for assessing control risks. The\n    DCAA determined that 10 common accounting and management systems existed\n    in the contract audit environment. The 10 systems selected for standard internal\n    control reviews included: control environment and overall accounting controls,\n    general electronic data processing system, budget and planning system,\n    purchasing system, material system, compensation system, labor system,\n    indirect and other direct cost system, billing system, and estimating system.\n\n\n\n                                         4\n\x0c     The DCAA then established standard control objectives and associated audit\n     procedures for each system. DCAA included the following factors in its\n     assessment of the control environment:\n\n            \xe2\x80\xa2   integrity and ethical values,\n\n            \xe2\x80\xa2   board of directors or audit committee participation,\n\n            \xe2\x80\xa2   organizational structure, and\n\n            \xe2\x80\xa2   assignment of authority and responsibility.\n\nSAS No. 78, \xe2\x80\x9cConsideration of Internal Control in a Financial\n  Statement Audit: An Amendment to SAS No. 55\xe2\x80\x9d\n     The American Institute of Certified Public Accountants (AICPA) auditing\n     standards define internal control as a \xe2\x80\x9cprocess--effected by an entity\xe2\x80\x99s board of\n     directors, management, and other personnel designed to provide reasonable\n     assurance regarding the achievement of objectives in the following categories:\n     (a) reliability of financial reporting, (b) effectiveness and efficiency of\n     operations, and (c) compliance with applicable laws and regulations.\xe2\x80\x9d Internal\n     control consists of the control environment, risk assessment, control activities,\n     information and communication, and monitoring.\n\n     Control Environment. The control environment functions as the foundation\n     for the other four components. It establishes the organizational tone that\n     influences employee values and decisionmaking and provides discipline and\n     structure. The auditor should consider the following factors in evaluating an\n     entity\xe2\x80\x99s control environment:\n\n            \xe2\x80\xa2   integrity and ethical values,\n\n            \xe2\x80\xa2   commitment to competence,\n\n            \xe2\x80\xa2   board of directors or audit committee participation,\n\n            \xe2\x80\xa2   management philosophy and operating style,\n\n            \xe2\x80\xa2   organizational structure,\n\n            \xe2\x80\xa2   assignment of authority and responsibility, and\n\n            \xe2\x80\xa2   human resource policies and practices.\n\n     Other Considerations. The auditor must also assess internal controls in light of\n     the entity\xe2\x80\x99s size; organizational and ownership characteristics; the nature of the\n     entity\xe2\x80\x99s business; the diversity and complexity of the entity\xe2\x80\x99s operations; the\n     entity\xe2\x80\x99s methods of transmitting, processing, maintaining, and accessing\n     information; and applicable legal and regulatory requirements.\n\n     An effective control environment should reduce the chance of improper conduct\n     by management. Custom, corporate culture, and the corporate governance\n                                            5\n\x0c    system can hinder, but not completely prevent, management from performing\n    irregularities. A control environment consisting of an effective board of\n    directors, audit committee, and internal audit department should also diminish\n    the possibility of irregularities. On the other hand, a control environment or\n    corporate culture can minimize the effectiveness of other elements of the\n    internal control system. For instance, management incentives based on\n    increases in stock value could result in irregularities.\n\n    Tests of Controls. The auditor should consider both the essence of the controls\n    and their impact as a whole. Because entities may write policies establishing\n    controls but not properly implement the controls, auditors should concentrate on\n    understanding the substance of the controls (how they are implemented) versus\n    their form (what the policies say).\n\nDCAA Audit Guidance\n    Current DCAA audit guidance does not consider all the criteria listed in DFARS\n    203.7001 as applicable to a good management control system. The standard\n    audit guidance in the \xe2\x80\x9cDCAA Contract Audit Manual,\xe2\x80\x9d DCAAM 7640.1\n    (DCAM) partially addresses five elements and does not cover the remaining two\n    elements. By revising the audit guidance to include all the elements listed in the\n    DFARS, DCAA internal control reviews and the associated risk assessments\n    will provide a more complete picture of a DoD contractor\xe2\x80\x99s control\n    environment. Specifically, we asked DCAA management to consider the\n    following revisions:\n\n           \xe2\x80\xa2   Enhancing guidance, to include requesting a system description from\n               the contractor, if available. (DFARS 203.7001[a])\n\n           \xe2\x80\xa2   Adding guidance to verify that a contractor\xe2\x80\x99s ethics training program\n               covers all employees. (DFARS 203.7001[a][1])\n\n           \xe2\x80\xa2   Adding guidance to verify that the contractor has policies and\n               procedures in place that require timely reporting to appropriate\n               Government officials of any suspected or possible violation of law or\n               suspected irregularity in connection with a Government contract.\n               (DFARS 203.70001[a][6])\n\n           \xe2\x80\xa2   Adding guidance to verify that the contractor has policies and\n               procedures that require full cooperation with any Government agency\n               responsible for investigations or corrective actions. (DFARS\n               203.7001[a][7])\n\n           \xe2\x80\xa2   Enhancing or clarifying existing guidance to specify that the auditor\n               should determine whether the contractor has an internal reporting\n               mechanism, such as a hotline, that employees can use to report\n               suspected instances of improper conduct, and whether employees are\n               encouraged to do so. (DFARS 203.7001[a][3])\n\n           \xe2\x80\xa2   Enhancing or clarifying existing guidance to emphasize that the\n               contractor should conduct periodic reviews of company business\n\n\n                                        6\n\x0c               practices, procedures, policies, and internal controls for compliance\n               with standards of conduct and unique requirements of Government\n               contracting. (DFARS 203.7001[a][2])\n\n           \xe2\x80\xa2   Clarifying existing guidance of internal audits being performed.\n               (DFARS 203.7001[a][4])\n\n           \xe2\x80\xa2   Clarifying existing guidance of external reviews being performed\n               relating to a contractor\xe2\x80\x99s ethics program instead of the internal\n               control system. (DFARS 203.7001[a][4])\n\n           \xe2\x80\xa2   Adding an audit step to determine whether the contractor posts the\n               DoD Hotline poster if it does not have an internal reporting\n               mechanism. (DFARS 203.7001[b])\n\nDCAA Audit Coverage\n    Board of Directors, Audit Committee, and Internal Audit Staff. Our review\n    found that at one of the three fieldwork locations, the audit coverage of this area\n    could be improved with better audit guidance. Existing guidance does not\n    differentiate between reviewing the board of directors and the audit committee.\n    Each group performs different control activities. In addition, external groups\n    such as the AICPA, the Institute of Internal Auditors, and the Securities and\n    Exchange Commission have increased their emphasis on the importance of the\n    audit committee, providing additional guidelines for audit coverage that may not\n    have existed 4 years ago. Therefore, we suggested to DCAA management that\n    they consider amending the existing audit guidance as follows:\n\n           \xe2\x80\xa2   Revise guidance to provide a separate review of the board of\n               directors and the audit committee. The review should concentrate on\n               the audit committee and its interaction with the internal audit staff\n               because additional emphasis is now being placed in this area. For\n               instance, the audit committee should have a charter, be independent\n               of company management, and take an active role in overseeing the\n               internal audit department. The internal audit manager should meet\n               privately at least once a year with the chair of the audit committee to\n               discuss any sensitive issues.\n\n           \xe2\x80\xa2   Revise coverage of the internal audit staff. The first audit step\n               should be to determine whether the internal audit staff performed any\n               reviews in this area. If the internal audit staff has not reviewed the\n               ethics program, the review of its function should be minimal at this\n               time. General areas to be covered should include independence,\n               objectivity, scope of work, management of the department, and the\n               followup system for audit recommendations.\n\n    DCAA Audit Process. DCAA classifies contractor entities as either major or\n    nonmajor, depending on the annual auditable dollar amounts at each entity. For\n    instance, a major contractor is one that has $80 million or more in annual\n    auditable dollars. The audit risk assessment process for nonmajor contractors is\n    different from the process DCAA uses for major contractors. For nonmajor\n    contractors, the audit office may use a short form internal control questionnaire\n\n                                         7\n\x0c    or perform the internal control system review(s) already described. The short\n    form internal control questionnaire is primarily an information-gathering device\n    with no independent review required. Although the short form requires less\n    audit effort, it provides less independently analyzed audit evidence. For many\n    nonmajor contractors, the short form is acceptable; however, in certain cases,\n    the complete internal control system review is beneficial. One example is when\n    a corporate office is classified as nonmajor, but one or more of its divisions,\n    subsidiaries, group offices, or other entities is considered a major contractor.\n    Auditors located at the corporate office should obtain the information and\n    perform the analyses required to properly complete some parts of the internal\n    control system review for the control environment and the accompanying risk\n    assessment that affects similar reviews for all of the contractor\xe2\x80\x99s entities.\n\n    Evaluation Results. Two locations we reviewed had nonmajor corporate\n    offices audited by another DCAA office. One office requested an assist audit\n    from the office cognizant of the corporate office. The other office obtained\n    relevant information in a less formal manner. The audit office that used an\n    informal process did not receive sufficient, relevant information for all of the\n    required audit program steps. However, the audit office that requested an assist\n    audit received an audit report addressing all of the requested audit program\n    steps. The deficiencies identified at both offices in the information received\n    were caused by the existing audit program or the method used to coordinate\n    information requirements between the two offices. Audit coverage of nonmajor\n    corporate entities could be improved by revising existing audit guidance to\n    require the DCAA audit office cognizant of the major contractor entity to\n    formally request an assist audit from the DCAA office cognizant of the\n    nonmajor corporate office. By requesting an assist audit, the DCAA office\n    responsible for performing the internal control system review could specify\n    exactly the information required from the other DCAA office. This would\n    result in a more thorough system review and risk assessment.\n\n    Compliance Testing During the Internal Control Review of the Control\n    Environment. We noted improvements that DCAA could make in performing\n    compliance testing at all three locations. At each location, DCAA auditors\n    could have better executed certain audit steps if compliance testing had been\n    done. For instance, at one location, the auditor accepted the contractor-\n    provided list of employees who had attended ethics training without checking\n    other records such as employee personnel files. The lack of compliance testing\n    during certain internal control system reviews was reported previously in\n    Evaluation Report No. PO 98-6-016, \xe2\x80\x9cDefense Contract Audit Agency Audits\n    of Indirect Costs at Major Contractors,\xe2\x80\x9d August 8, 1998. DCAA management\n    had agreed to clarify guidance dealing with compliance testing (tests of\n    controls). On May 10, 1999, DCAA issued Memorandum for Regional\n    Directors 99-PIC-057(R) that notified the regional offices of the revisions. In\n    the January 2000 DCAM, DCAA revised chapter 5-108, \xe2\x80\x9cTest of Controls.\xe2\x80\x9d\n    We agree with DCAA management that the revision should improve\n    implementation of the audit guidance in the field.\n\nPlanned Management Actions\n    We met with DCAA management to discuss our findings, concerns, and\n    potential recommendations. DCAA managers were open to suggestions for\n\n                                        8\n\x0c   improving its audit guidance. They agreed to revise existing DCAA guidance to\n   ensure appropriate coverage of DFARS subpart 203.70. They have also agreed\n   to revise the standard audit program to clarify the audit responsibilities for\n   DCAA offices cognizant of both nonmajor contractor corporate offices with\n   major entities and those offices cognizant of the associated major entities. We\n   appreciate the timely action taken by DCAA management to address these\n   issues. We consider the planned management actions to be fully responsive to\n   our concerns; therefore, no recommendations have been made.\n\nSummary\n   Government auditing standards require the auditor to obtain a sufficient\n   understanding of the contractor\xe2\x80\x99s internal control structure as a basis for\n   assessing audit risk. The auditor is to use this assessment to properly plan the\n   audit and determine the nature, timing, and extent of testing needed. A key part\n   of this process is the internal control system review and the associated risk\n   assessment of the contractor\xe2\x80\x99s overall control environment. The control\n   environment for a DoD contractor includes its ethics program and other self-\n   governance activities. By enhancing audit coverage to ensure coverage of the\n   management control system described in DFARS subpart 203.70, DCAA will\n   improve its risk assessment of the control environment. This will allow DCAA\n   audit offices to better use their limited audit resources to review high-risk\n   contractors. DCAA will also be able to provide more detailed information on a\n   contractor\xe2\x80\x99s ethics program in internal control system reports to contracting\n   officers. Contracting officers can use this information during the preaward\n   process to help evaluate a contractor\xe2\x80\x99s present responsibility or past\n   performance. DoD may also be able to use this information to determine the\n   appropriate level of DoD oversight needed at a particular contractor location.\n\n\n\n\n                                      9\n\x0cAppendix A. Evaluation Process\n\nScope\n    The evaluation was reannounced under Project No. 90C-9006 on\n    April 29, 1999. During the evaluation, we visited three DCAA audit offices\n    responsible for major contractors and one office cognizant of a corporate office.\n    We reviewed selected portions of various audit assignments relating to\n    contractor ethics programs. We reviewed the following audit assignments and\n    related documentation:\n\n           \xe2\x80\xa2   reviews of internal controls for the control environment and overall\n               accounting system;\n\n           \xe2\x80\xa2   internal control audit planning summary forms for the control\n               environment and overall accounting system;\n\n           \xe2\x80\xa2   Cost Accounting Standard (CAS) audits, including CAS 405,\n               \xe2\x80\x9cAccounting for Unallowable Costs,\xe2\x80\x9d and CAS 418, \xe2\x80\x9cAllocation of\n               Direct and Indirect Cost\xe2\x80\x9d; and\n\n           \xe2\x80\xa2   audits and reports on incurred costs.\n\n    We met with the DCMA headquarters representatives to discuss reviews of\n    contractors\xe2\x80\x99 ethics programs. We also met with the DLA Office of General\n    Counsel to determine their level of involvement and information available on\n    contractors\xe2\x80\x99 ethics programs and reviews conducted.\n\n    Our initial objectives included determining how DoD relies on contractor self-\n    governance programs such as an ethics program. However, after performing\n    fieldwork, we emphasized the DCAA role in evaluating and reporting on a\n    contractor\xe2\x80\x99s ethics program. A summary of how DoD uses such information\n    can be found in the Background section of this report.\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the DoD. This report provides coverage\n    of the Defense Contract Management high-risk area.\n\nMethodology\n    Use of Computer-Processed Data. We relied on data we received from the\n    DCAA Agency Management Information System. Based on our previous\n    reviews of the accuracy of DCAA data in the Inspector General, DoD,\n    Semiannual Report to Congress and the actions DCAA has taken in response to\n    conditions identified, we considered the data adequate for our review.\n\n    Universe and Sample Selection. We judgmentally selected three major\n    contractor entities, each from a different DCAA region. We visited the three\n    audit offices cognizant of the selected contractor entity and either visited or\n    requested information from the audit office cognizant of the corporate records.\n                                       10\n\x0c    When selecting a contractor entity to be reviewed, we also considered a\n    contractor\xe2\x80\x99s size (dollar amount of contract awards), participation in a voluntary\n    disclosure program, and other information on its ethics program.\n\n    We also judgmentally selected, for a limited review, 25 additional major\n    contractor entities that had nonmajor corporate offices. We obtained\n    information from the DCAA office cognizant of the major contractor entity to\n    determine how that office completed the portion of the control environment\n    review dealing with corporate office functions.\n\n    We also judgmentally selected 14 SFs 1403, \xe2\x80\x9cPreaward Survey of Prospective\n    Contractor (General),\xe2\x80\x9d from 3 DCMA locations. We reviewed the sampled\n    surveys to determine whether the contracting officer had asked for or received\n    any information about a contractor\xe2\x80\x99s ethics program.\n\n    Evaluation Type, Dates, and Standards. We performed this evaluation from\n    February through October 1999 in accordance with standards issued and\n    implemented by the Inspector General, DoD. We did not include tests of the\n    management control program(s).\n\n    Contacts During the Evaluation. We visited or contacted individuals and\n    organizations within the DoD. Further details are available on request.\n\nPrior Coverage\n    No prior coverage has been conducted on the subject during the last 5 years.\n\n\n\n\n                                        11\n\x0cAppendix B. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\n  Director, Defense Logistics Studies Information Exchange\n  Director, Defense Procurement\nUnder Secretary of Defense (Comptroller)\nAssistant Secretary of Defense (Legislative Affairs)\n\nDepartment of the Army\nAuditor General, Department of the Army\nCommander, United States Legal Services Agency\n\nDepartment of the Navy\nOffice of the General Counsel, Department of the Navy\nNaval Inspector General\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nOffice of the General Counsel, Department of the Air Force\n\nOther Defense Organizations\nDirector, Defense Contract Audit Agency\nDirector, Defense Contract Management Agency\nDirector, Defense Logistics Agency\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Management, Information, and Technology,\n  Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\n\n                                         12\n\x0cEvaluation Team Members\n   This report was prepared by the Deputy Assistant Inspector General for\n   Audit Policy and Oversight, Office of the Assistant Inspector General for\n   Auditing, DoD.\n\n        Patricia A. Brannin\n        Barbara E. Smolenyak\n        Wayne C. Berry\n        Diane H. Stetler\n        Martin I. Gordon\n        Ernest R. Taylor\n        Susanne B. Allen\n\x0c'